Fiscal Year 2003 Evaluation of Information Security
at the Railroad Retirement Board

Report No. 03-11, September 15, 2003


INTRODUCTION

This report presents the results of the Office of Inspector General’s (OIG) evaluation of information security at the Railroad Retirement Board (RRB).

Background

The RRB administers the retirement/survivor and unemployment/sickness insurance benefit programs for railroad workers and their families under the Railroad Retirement Act (RRA) and the Railroad Unemployment Insurance Act (RUIA). These programs provide income protection during old age and in the event of disability, death, temporary unemployment or sickness. The RRB paid out in excess of $8 billion in benefits during fiscal year (FY) 2002.

The RRB’s information system environment consists of two general support systems and seven major application systems. The two general support systems are the data processing system, which supports all mainframe computing activity, and the end-user computing system, which supports the agency’s local area (LAN) and wide area networks.

The major application systems correspond to the RRB’s critical operational activities: payment of RRA and RUIA benefits, maintenance of compensation and service records, administration of Medicare entitlement, financial management, personnel/payroll, and the RRB’s financial interchange with the Social Security Administration. Each application system comprises one or more programs.

This evaluation was conducted pursuant to the E-Government Act of 2002 (P.L. 107-347), Title III, the Federal Information Security Management Act of 2002 (FISMA). FISMA, like its predecessor the Government Information Security Reform Act (GISRA), establishes program management and evaluation requirements including:

   • annual agency program reviews,
   • Inspector General security evaluations,
   • an annual agency report to the Office of Management and Budget (OMB), and
   • an annual OMB report to Congress.

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide integrity, confidentiality and availability. FISMA requires agencies to report significant deficiencies in policy, procedure or practice as material weaknesses in internal control in reports issued pursuant to the Federal Managers’ Financial Integrity Act.

The OIG conducted security evaluations pursuant to GISRA during FY 2001 and FY 2002 and issued reports dated February 5, 2002 and August 27, 2002. These evaluations disclosed weaknesses throughout the RRB’s information security program. The OIG cited the agency with material weaknesses due to significant deficiencies in access controls in both the mainframe and end-user computing environments and in the training provided to staff with significant security responsibilities. Evaluations conducted during FY 2000 and FY 2001 by specialists under contract to the OIG had disclosed the need for improvements in security controls in both the data processing and end-user computing support systems.

Objective, Scope and Methodology

The objective of this evaluation was to fulfill the requirements of FISMA by assessing the effectiveness of the RRB’s information system security program and practices during FY 2003.

In order to accomplish our objective, we monitored agency efforts to implement corrective actions in response to the findings and recommendations presented in prior OIG audit reports as well as third-party evaluations conducted at the request of the OIG, including:

   • “Information Systems Security Assessment Report,” Defensive Information Operations Group, National Security Agency, June 28, 2000;
   • “Review of RRB’s Compliance with the Critical Infrastructure Assurance Program,” August 9, 2000, OIG Report #00-13;
   • “Review of Document Imaging: Railroad Unemployment Insurance Act Programs,” November 17, 2000, OIG Report #01-01;
   • “Site Security Assessment,” Blackbird Technologies, Inc., July 20, 2001;
   • “Security Controls Analysis,” Blackbird Technologies, Inc., August 17, 2001;
   • “Review of Information Security at the Railroad Retirement Board,” February 5, 2002, OIG Report #02-04;
   • “Review of the Railroad Retirement Board’s Controls Over the Access, Disclosure, and Use of Social Security Numbers by Third Parties,” August 26, 2002, OIG Report #02-11; and
   • “Fiscal Year 2002 Evaluation of Information Security at the Railroad Retirement Board,” August 27, 2002, OIG Report #02-12.

We also considered the findings and recommendations reported as a result of the following evaluations conducted during FY 2003:

   • “Evaluation of the Self-Assessment Process for Information System Security,” December 27, 2002, OIG Report #03-02;
   • “Evaluation of RRB E-Government Initiative: RUIA Contribution Internet Reporting and Payment,” December 27, 2002, OIG Report #03-03; and
   • “Review of the Systems Development Life Cycle for End-user Computing,” September 8, 2003, OIG Report #03-10.

Our work was performed in accordance with generally accepted government auditing standards as applicable to the objective. Fieldwork was conducted at RRB headquarters during May through August 2003.


RESULTS OF EVALUATION

Agency management continues the process of strengthening information security. However, significant deficiencies in access controls and program management continue to exist. As a result, information security remains an area of material weakness in internal control.

The OIG’s conclusions with respect to information system security are based on:

   • previously reported weaknesses in training and access controls for which corrective action has not been completed;
   • FY 2003 evaluations that disclosed weaknesses in the agency’s information security program; and
   • the OIG’s assessment of data security and access controls related to the RRB’s E-Government initiative for RUIA contributions.

Our findings with respect to the implementation status of prior recommendations for corrective action and a summary of weaknesses identified during our FY 2003 evaluations follow.

Status of Prior Recommendations for Corrective Action

Responsible management and staff in the Bureau of Information Services (BIS) have implemented, or plan to implement, most of the recommendations for improved information security resulting from evaluations by the OIG and technical specialists under contract to the OIG.

The OIG monitored 119 recommendations for corrective action. To date, 61 have been fully implemented and ten have been rejected.¹

¹ These totals include recommendations presented in OIG Report #03-02 and #03-03. These totals do not include recommendations presented in OIG Report #03-10, which were finalized after the end of fieldwork and for which the status of implementation was not monitored during FY 2003.

Although agency management has completed many of the recommended corrective actions, the RRB has not completed corrective action to remediate the previously reported deficiencies in training and access controls that were the basis for the OIG’s finding of material weakness.

A summary of the status of audit recommendations pertaining to information system security is presented in Appendix I.

Evaluations Conducted During FY 2003

During FY 2003, the OIG continued to provide oversight to the RRB’s information security program by conducting an evaluation of the effectiveness of the agency’s self-assessment process for information system security. We also assessed the effectiveness of the RRB’s efforts in incorporating security requirements into the systems development life cycle for end-user computing. These evaluations revealed weaknesses in both processes that undermine the effectiveness of the agency’s information security program.

We also documented and assessed security procedures over the Internet DC-1 filing process, including data security and access to RRB systems in connection with the RRB E-Government initiative for RUIA contributions. This project identified weaknesses in the implementation and administration of security features in this Internet-based system.

Security Self-Assessment Process

Information security self-assessment is a key part of the annual agency program review process. The self-assessment process is used to determine the current status of a security program and, where necessary, to establish a target for improvement. The National Institute of Standards and Technology (NIST) has published a self-assessment guide that presents a standardized approach for assessing system security.

The RRB’s self-assessment process for information system security has not been effective in assessing the current status of the RRB’s security program as a basis for future improvement. Our review disclosed that the agency’s FY 2002 self-assessment process was weakened by inadequate coverage of NIST objectives, elements and techniques; anonymous, incomplete responses to the questionnaire that served as its basic evaluation tool; and a lack of supporting documentation.

The RRB’s FY 2003 self-assessment is currently underway. The process is being facilitated with a NIST-compliant tool, but has not been evaluated by the OIG for efficiency and effectiveness.

Consideration of Security in the Systems Development Life Cycle for End-User Computing

Existing procedures and controls are not adequate to ensure the integration of security in systems developed for the end-user computing environment in accordance with existing agency requirements.

In addition, the RRB has not implemented a risk-based approach to pre-implementation authorization of systems development projects. In a risk-based approach to the systems development life cycle, higher levels of management authorize implementation of those projects that pose the greatest risk.

We attribute these weaknesses to the lack of a comprehensive certification and accreditation process. As a result, newly developed systems exhibit a lack of applied audit trails, weak authentication methods and poor access controls.²

² BIS declined the OIG’s recommendation (Report #03-10) for development of a formal certification and accreditation process. In their response, management stated that “rather than develop new or changed procedures, the issue of non-compliance with existing procedures should be addressed.” They plan to defer a determination concerning the need for a formal certification and accreditation process until NIST finalizes pertinent standards. NIST is currently circulating draft standards for Federal certification and accreditation processes (NIST SP 800-37).

Security Procedures Over the Internet DC-1 Filing Process

As part of its responsibilities under the RUIA, the RRB collects employer contributions which are used to fund the RUIA program. Employers make contributions and report them to the RRB on a quarterly basis using Form DC-1. In March 2002, the RRB modified the existing payment system to add a new option for electronic payment over the Internet, and Internet filing of the DC-1 reports for those railroads that adopt the Internet payment option.

The OIG’s assessment of security procedures over the Internet DC-1 filing process disclosed that:

   • the contractor administering the system had not fully implemented restrictions on password use and limits on log-on attempts;
   • authorized users were sharing their account, password and personal identification number with unauthorized users;
   • certification of the Internet DC-1 cannot be adequately validated, resulting in the risk of repudiation of the information contained therein; and
   • the memorandum of understanding governing this process does not adequately address the privacy and security of the data being transmitted, nor were all concerned entities party to the memorandum of understanding.

Plan of Action and Milestones Is Not an Effective Tool

The RRB’s plan of action and milestones (POA&M) does not adequately articulate weaknesses in the agency’s information security program and planned corrective actions.

OMB has mandated the development of a formal POA&M to identify vulnerabilities in information security and track the progress of corrective action. OMB requires the inspectors general, as part of the FISMA reporting process, to assess whether their agencies have developed a POA&M that serves as the authoritative tool used to identify and monitor agency actions. In addition, OMB has cited the failure to maintain a comprehensive POA&M as a significant deficiency in an agency’s security program.

The RRB’s POA&M is incomplete and insufficiently detailed. The 10 outstanding vulnerabilities presented in the agency’s POA&M do not include known areas of vulnerability, such as:

   • LAN backup,
   • service packs in the headquarters end-user computing environment,
   • the mainframe database management system, and
   • the existing certification and accreditation process.

In addition, we believe that the POA&M should be expanded to distinguish between certain vulnerabilities related to lack of training and insufficient policy and procedure. The agency has combined some vulnerabilities for which the corrective actions are largely unrelated. The POA&M currently distinguishes between general security awareness training and the need for specialized vendor-supplied training. As a basis for more effective prioritization, the POA&M should identify three levels of training:

   • security awareness training for all employees;
   • higher level training for staff outside BIS who participate in security-related processes, such as user analysts and systems administrators; and
   • specialized technical training for employees in BIS who have significant responsibility for security administration or systems development.

Similarly, the RRB’s current POA&M presents a single vulnerability relating to policies and procedures that includes revisions to three major areas of responsibility that are addressed in separate agency documents. The POA&M should be expanded to address the three areas separately:

   • overall security,
   • disaster recovery, and
   • systems development.

We also noted that the agency’s POA&M process places the burden of developing action plans on the agency’s security officer. Although agency procedure requires program officials to furnish plans detailing recommended corrective action for control weaknesses identified during their program reviews, such plans are not consistently prepared and submitted.

The POA&M is not the only tool being used within the RRB to monitor and track agency progress in achieving an effective, compliant system of information system security. The agency’s security officer maintains detailed records concerning the status of known vulnerabilities, and the OIG monitors the status of its recommendations for corrective action and circulates status reports to responsible agency management on a semi-annual basis.

The OIG does not consider the POA&M to be an effective tool for identifying vulnerabilities and monitoring agency corrective actions according to criteria established by OMB. However, the process of remediation, as a whole, is adequately coordinated and monitored using other tools. Accordingly, the OIG does not consider the deficiencies in the RRB’s POA&M to be a material weakness in the agency’s security program.

Recommendations

We recommend that BIS:

   1. review and revise the RRB’s POA&M, and

   2. remind program managers to identify vulnerabilities and develop action plans.

Management’s Response

Management disagrees with the recommendation to review and revise the RRB’s POA&M, stating that “[t]he POA&M was designed by the Office of Management and Budget (OMB) to fulfill their reporting requirements” and that “[w]e have received no feedback from OMB to indicate the reports are insufficient or inadequate.”

BIS has agreed to issue a reminder to program officials concerning their responsibility to report any identified information security vulnerability and to provide a corresponding plan of action for remediation.

The full text of management’s response is included as Appendix II to this report.

OIG’s Comments

OMB Memorandum 03-19, dated August 6, 2003, specifically directs the Inspectors General to report on the sufficiency of agency POA&Ms in their annual FISMA-mandated report on information security. Since OMB has asked for the OIG’s assessment, the absence of any prior criticism by OMB has no significance to our evaluation.

The OIG’s criticism of the RRB’s POA&M pertains to its value as the designated medium of internal and external reporting, for which purpose we found it to be inadequately detailed in several respects. The availability of other information does not mitigate the impact of inadequacies on those readers, such as OMB, who may expect to rely on the POA&M as the sole source of information about identified vulnerabilities and the status of remediation efforts. Our acknowledgement of the agency’s other monitoring tools was intended to recognize that deficiencies in the POA&M were not due to a lack of management oversight or information.

Access to the SURGE System Is Not Granted Based on Least Privilege

Access to the Survivor G-90 Expeditor (SURGE) system is not granted based on the principle of least privilege. Least privilege is the practice of restricting a user’s access (to data files, processing capability, or peripherals) or type of access (read, write, execute, or delete) to the minimum necessary to perform his or her job. As a result, some individuals have received and retained access to a system that they did not require for the performance of their assigned duties.

The SURGE system automates requests for an earnings and computation record used in the payment of survivor benefits. Access to the SURGE system is granted to those individuals who are also granted access to the DATA-Q system, an informational system that provides the current status of RRA benefits. The SURGE system accepts data input and produces documentary evidence of certain computations used in annuity calculations based on that input.

Decisions concerning security should be risk-based, documented and periodically subject to review. In establishing security requirements for the SURGE system, management did not recognize that granting access to all DATA-Q users would weaken security.

Recommendation

   3. The Chief Information Officer should obtain an evaluation of the security needs of the SURGE system from the system owner.

Management’s Response

Management concurs with the recommendation and has agreed to request that the system owners of DATA-Q and SURGE review the access granted to users employing the principle of least privilege. Should the results of this review indicate that users having access to the SURGE system violates the least privilege principle, the Chief Information Officer will request system changes as appropriate.

The full text of management’s response is included as Appendix II to this report.


Appendix I

SUMMARY OF AUDIT RECOMMENDATIONS PERTAINING TO INFORMATION SECURITY
As of March 31, 2003

                                                                                                Recommendations for Corrective Action
Source                    Report                                                      Date      Offered  Rejected  Implemented
------------------------  ----------------------------------------------------------  --------  -------  --------  -----------
National Security Agency  Information Systems Security Assessment Report              06/28/00       19         5            8
OIG Report #00-13         Review of RRB’s Compliance with the Critical                08/09/00        2                       2
                          Infrastructure Assurance Program
OIG Report #01-01         Review of Document Imaging: Railroad Unemployment           11/17/00        3                       2
                          Insurance Act Programs
Blackbird Technologies    Site Security Assessment                                    07/20/01       12         2            7
Blackbird Technologies    Security Controls Analysis                                  08/17/01       38         3           28
OIG Report #02-04         Review of Information Security at the Railroad              02/05/02       28                      12
                          Retirement Board
OIG Report #02-11         Review of RRB’s Controls Over the Access, Disclosure,       08/26/02        1                       1
                          and Use of Social Security Numbers by Third Parties
OIG Report #02-12         Fiscal Year 2002 Evaluation of Information Security         08/27/02        3                       1
                          at the Railroad Retirement Board
OIG Report #03-02         Evaluation of the Self-Assessment Process for               12/27/02        4                       -
                          Information Security
OIG Report #03-03         Evaluation of the RRB E-Government Initiative: RUIA         12/27/02        9                       -
                          Contribution Internet Reporting and Payment
                                                                                                =======  ========  ===========
Total                                                                                               119        10           61